For the past 18 months, a group of Russian hackers has quietly exploited interbank transfer systems to steal roughly $10 million from ATMs in the US, Russia and the UK, report researchers from the Russian security company Group-IB.
The first known attack was in 2016, when the group compromised First Data’s STAR network in the US and Russia’s AW CRB network, stole documentation for OceanSystems’ FedLink transfer system, and spied on Russian bank networks. One US bank was breached at least twice. Customers were not directly affected, as the attackers were more interested in weaknesses in the banks themselves and in intercepting transfers between banks. In each attack, the group stole approximately $500,000.
Dubbed MoneyTaker after the hijacking tool used to tamper with payment orders, the group stayed undetected because it operates a distributed infrastructure, rotates its methods for evading security software, and relies on the Metasploit framework. The malware it deploys runs only in memory rather than on disk, which makes it hard for endpoint security tools to detect. The group also used fraudulent digital certificates issued in the names of Microsoft, Yahoo, Bank of America and the US government.
“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” says Dmitry Volkov, co-founder of Group-IB and Head of Intelligence.
“In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future.”
The operation compromised 15 banks in the US, two in Russia and one in the UK. Latin America is a likely next target, because the compromised OceanSystems’ FedLink system is used by 200 banks in the US and Latin America. Other targeted organisations include a law firm and financial software businesses.
Group-IB has presented its research to Interpol and Europol for further investigation.